On Mon, 30 Aug 2021, Dianne Skoll wrote:
I upgraded my web server to Debian 11 "Bullseye" last night and it
rather rudely removed Mailman,
Debian clearly warns users to check what packages might get removed before
upgrading the release. As might be expected when upgrading from a release
from two years ago, some packages may no longer be available.
That's because Mailman 2 is no longer supported.
Debian clearly states in their release notes that Mailman 2 will be
removed. You can't blame them because it needs Python 2 which is
definitely past end-of-life.
"Chapter 5. Issues to be aware of for bullseye
5.3.1. Noteworthy obsolete packages
The following is a list of known and noteworthy obsolete packages (see
Section 4.8, “Obsolete packages” for a description).
The list of obsolete packages includes:
...
Mailman mailing list manager suite version 3 is the only available version
of Mailman in this release. Mailman has been split up into various
components; the core is available in the package mailman3 and the full
suite can be obtained via the mailman3-full metapackage.
The legacy Mailman version 2.1 is no longer available (this used to be the
package mailman). This branch depends on Python 2 which is no longer
available in Debian"
I re-installed Mailman 2 from source, but I don't think that's a viable
long term option.
Not unless you are going to apply Python 2 and Mailman security patches
yourself - if they are even available reliably.
Mailman 3's documentation is also awful and frankly, the
software looks half-baked.
Having been exploring / installing / testing MM3 to replace this list's
current software I feel like this too at this time.
Has anyone had experience with Sympa? I'm
considering that as a replacement for my mailing lists.
No experience.
But Sympa DOES support proper From mail header rewriting so
as to not break DMARC, and it also supports ARC, a more recent mail
extension for mailing lists specifically. Without these features a mailing
list will NOT be able to reliably deliver messages.
https://sympa-community.github.io/manual/customize/dmarc-protection.html
https://sympa-community.github.io/manual/customize/dkim-arc.html
DKIM has been introduced in Sympa version 6.1.
ARC has been introduced in Sympa version 6.2.38.
I'm not thrilled at their reported vulnerabilities in 2020:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sympa
I really do not like to see things like "allows remote attackers to obtain
full SOAP API" which could result in a reportable data leak and privacy
invasion. Also "a local privilege escalation from the sympa user account
to full root access" -- although I suspect machines that OCLUG members
would run a mailing list on aren't allowing ssh access to untrusted users.
(Fair reporting: here are the Mailman vulnerabilities reported:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman)
The downside of Sympa is that it is in Perl, which increasingly fewer
admins are familiar with.
Sympa may be a great choice for you though!
Brett